Authentication Settings

  • General Security:
    • Set Access Token Expiry (e.g., 1h) to control how long JWT access tokens remain valid. Keep this short: an access token cannot be revoked before its expiry, so this value bounds how long a stolen token is usable.
    • Set Refresh Token Expiry (e.g., 7h) to control how long refresh tokens remain valid. This should be longer than the access token expiry, since a refresh token exists to obtain new access tokens after the short-lived one expires.
    • Set Password Token Expiry (e.g., 1h) to control how long “forgot password” links remain valid.
    • Define Public Routes (comma-separated API paths) that bypass authentication (e.g., /auth/login, /products). Public routes skip the JWT check entirely, although any business logic in the handler still runs. Because no token is required, nothing identifies the caller on these routes, so list only endpoints that must be reachable without a login and check that each entry is the exact path you intend.
  • Tenant Scoping (Row‑Level Security):
    • Enable multi-tenant configuration when multiple users belong to an account, or when each user should only see their own records.
    • Choose a Tenant Model: select the table that represents a tenant (e.g., accounts for organization-level apps, or users for single-user tenancy).
    • Set the Default Tenant Field Name: the column added to scoped tables (e.g., account_id or user_id). Every query against a scoped table is filtered on this column to the caller's tenant.
    • Exclude Tables: choose tables that should not receive the tenant column (e.g., products, countries, or other global catalogs). Excluded tables are not scoped, so every tenant can read them; use this only for genuinely shared reference data.
  • Email (SMTP) Settings:
    • Configure your email provider’s SMTP Host & Port.
    • Provide SMTP Username & Password for sending emails.
    • Set a From Address (e.g., no-reply@yourdomain.com) and From Name (e.g., Your App).
    • Specify the Base URL where users complete password resets (e.g., https://yourapp.com).
    • Define a Password Reset Path containing a %s placeholder for the token, such as /reset-password?token=%s.
    • When a user requests a reset, the API generates a token and sends an email linking to {BaseURL}{PasswordResetPath}, with %s replaced by the token. The link stops working once the Password Token Expiry elapses.
  • Once configured, these authentication settings secure your API and enable user authentication flows.
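The following is an added example (not code from the page or its product) of how the General Security settings behave at request time: it parses expiry strings such as "1h" and "7h" into seconds, matches the comma-separated Public Routes list by exact path, and mints and verifies an HS256 JWT whose exp claim comes from Access Token Expiry. The signing secret, user id and timestamps are constructed for the example; the hand-rolled JWT is only there to make the expiry and signature checks visible, and a real deployment would use a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional, Tuple

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Convert an expiry setting such as "1h", "30m" or "7d" into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_public_routes(csv: str) -> frozenset:
    """Split the comma-separated Public Routes setting into a set of exact paths."""
    return frozenset(p.strip() for p in csv.split(",") if p.strip())


def is_public_route(path: str, public: frozenset) -> bool:
    """Exact match on the path only: the query string is ignored and there is
    no prefix matching, so listing /products does not make /products/admin public."""
    return path.split("?", 1)[0] in public


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(secret: bytes, sub: str, expiry: str, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose exp claim is now + Access Token Expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": now, "exp": now + parse_duration(expiry)}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and exp is in the future, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm: no "none", no key confusion
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64 or bad JSON
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def authorize(path: str, auth_header: Optional[str], secret: bytes,
              public: frozenset, now: Optional[int] = None) -> Tuple[bool, str]:
    """Gate one request the way the settings describe: public routes pass without a
    token, everything else needs an unexpired, correctly signed bearer token."""
    if is_public_route(path, public):
        return True, "public"
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_access_token(secret, auth_header[len("Bearer "):], now)
    if claims is None:
        return False, "invalid or expired token"
    return True, claims["sub"]


if __name__ == "__main__":
    # Constructed demo values, not real configuration.
    secret = b"constructed-demo-secret"
    public = parse_public_routes("/auth/login, /products")
    token = mint_access_token(secret, "user-42", "1h", now=1_000)
    print(authorize("/products?page=2", None, secret, public, now=1_000))
    print(authorize("/orders", "Bearer " + token, secret, public, now=1_000 + 3_599))
    print(authorize("/orders", "Bearer " + token, secret, public, now=1_000 + 3_600))
```

The exact-match rule in `is_public_route` is the detail worth copying: a prefix match would silently expose every route nested under a public one.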
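The following is an added example (not code from the page or its product) of the reset flow the SMTP settings describe: it validates that the Password Reset Path carries exactly one %s placeholder, builds the {BaseURL}{PasswordResetPath} link with a fresh random token, and redeems the token once, rejecting it after the Password Token Expiry. The in-memory pending-token store, the user ids, the requirement that the Base URL be https, and the timestamps are constructed for this example; a real deployment would keep the token hashes in its database.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


class PasswordResetService:
    """Builds and redeems forgot-password links from the Base URL, Password Reset Path
    and Password Token Expiry settings. The pending-token store is a dict constructed
    for this example; a real deployment would use its database."""

    def __init__(self, base_url: str, reset_path: str, token_expiry_seconds: int = 3600):
        if reset_path.count("%s") != 1:
            raise ValueError("Password Reset Path must contain exactly one %s placeholder")
        if not reset_path.startswith("/"):
            raise ValueError("Password Reset Path must start with /")
        if not base_url.startswith("https://"):
            # Assumption of this example: reset links must not travel in clear text.
            raise ValueError("Base URL must use https")
        self.base_url = base_url.rstrip("/")
        self.reset_path = reset_path
        self.ttl = token_expiry_seconds  # 1h on the settings page is 3600 here
        self._pending: Dict[str, Tuple[str, int]] = {}  # token hash -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[int] = None) -> str:
        """Generate a token and return the link to email, with %s replaced by the token."""
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, already URL-safe
        self._pending[self._key(token)] = (user_id, now + self.ttl)
        return self.base_url + self.reset_path.replace("%s", token, 1)

    def redeem(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the user id for a valid token, consuming it; None if unknown, used or expired."""
        now = int(time.time()) if now is None else now
        entry = self._pending.pop(self._key(token), None)  # pop makes the token single-use
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            return None
        return user_id


def token_from_link(link: str, param: str = "token") -> Optional[str]:
    """Pull the token back out of a link built from a ?token=%s style path,
    i.e. what the reset page receives when the user opens the email link."""
    values = parse_qs(urlsplit(link).query).get(param)
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed demo values, not real configuration.
    svc = PasswordResetService("https://yourapp.com", "/reset-password?token=%s", 3600)
    link = svc.issue("user-7", now=1_000)
    print(link)
    print(svc.redeem(token_from_link(link), now=1_000 + 3_599))  # user-7
    print(svc.redeem(token_from_link(link), now=1_000 + 3_599))  # None: already used
```

Two choices matter here: the token is consumed on first use, so a link cannot be replayed from a mail archive, and the expiry is enforced on redeem rather than only when the mail is sent, so a link that arrives late still dies at the configured time.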